Analysis
-
max time kernel
149s -
max time network
132s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
19-10-2024 22:14
General
-
Target
ade5b633a6bed5b6ddcc500c03ac751ae807c9cd24fc7a0a2cb9757ac4dc4574.apk
-
Size
252KB
-
MD5
ff772b6831382bcab75c71395e6bd7f9
-
SHA1
ace41b67f45af28d7eb8a1f4fd244fc86c3a355f
-
SHA256
ade5b633a6bed5b6ddcc500c03ac751ae807c9cd24fc7a0a2cb9757ac4dc4574
-
SHA512
c87cf6cec398445fc4e44c121063ad339e34fa90dba5460f99ac2352be2b5a48876ed08bcc8f28d62ae775973f57164f2a9bcea327293a5f466e156a84467242
-
SSDEEP
6144:5dvcLXcP0QLGU0ZER7dMzffm7e1CtH1NCyxq9B:5dULXcP0Q6ULGLyiuVNjxy
Malware Config
Extracted
xloader_apk
http://91.204.226.105:28844
Signatures
-
XLoader payload 2 IoCs
-
XLoader, MoqHao
An Android banker and info stealer.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Reads the contacts stored on the device. 1 TTPs 1 IoCs
-
Reads the content of the MMS message. 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
-
Reads information about phone network operator. 1 TTPs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
gjuu.zvjog.aqlwq1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of the MMS message.
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests changing the default SMS application.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1Suppress Application Icon
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
1System Network Configuration Discovery
2System Network Connections Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
580KB
MD5f51fa0481451ad4df6c3686f2a41e29a
SHA1c38c35f5da0921eedeb256986fbd6bb00314ec0e
SHA2567a60fc73f461b0c1dfb9c9786b44abd00e1c2034440397019a5225631e4679e4
SHA512af7cbefadd5fce52a10daffb4073154dfab2240616669d3050910eb03a254a6d73932caf5db827fd12d35f217bc79e75524c81b41a7740e050468e37ff96efd9
-
Filesize
36B
MD51f10d1872d38b71ebc9e2a14e6ab5861
SHA1046be658a9cf82d75c29cec56f5c5740c6f8f7d8
SHA256ad9c499d79dca49d3458a7d8f64097295ad48fa03f77e0a33ca1ea959eb56242
SHA512af245ca6b0333c7b72a6a0e3d392a1f41a67e0a7e0bc5cafe92168b7c5b307f016271116103bfeab4e4125d2012b7accd26e274640b4f0576bc748047036903e